Output PURLs for components
ErinvanderVeen opened this issue · 0 comments
ErinvanderVeen commented
CycloneDX analysis programs like Snyk use the PURLs of the components to look up CVEs to report; there exists no Nix PURL (yet). But as an alternative we can use the generic PURL type, which we can extract from the src attribute of derivations. This might result in false positives (because Nixpkgs often includes its own patches into the source), so experimentation is needed.
Subtask of #2
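The approach sketched in the issue, worked through as an added example (this is not code from the issue author or from the project): a generic-type PURL is built from a derivation's src attribute following the purl-spec conventions for pkg:generic (download_url plus checksum for a fetchurl-style source, vcs_url for a git source), Nix SRI hashes are converted to the hex form scanners expect, and the "Nixpkgs patched the source" caveat is surfaced as a component property so a CVE hit against the upstream archive can be reviewed instead of trusted blindly. The sample derivation records, their hashes and the property name nix:patched are constructed for the example, not real Nixpkgs data or an established convention.

```python
"""Derive pkg:generic PURLs from the `src` attribute of Nix derivations.

Added example for the issue above; the input shape mimics what an SBOM
generator might collect from `nix derivation show`, reduced to the fields
needed here. All sample values are constructed.
"""
import base64
from urllib.parse import quote

# Constructed sample records (not real Nixpkgs derivations or hashes).
SAMPLE_DERIVATIONS = [
    {
        "pname": "zlib",
        "version": "1.3.1",
        "src": {
            "url": "https://zlib.net/zlib-1.3.1.tar.gz",
            # SRI hash of the bytes 0x00..0x1f, chosen so the hex form is obvious.
            "hash": "sha256-AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=",
        },
        "patches": [],
    },
    {
        "pname": "hello-git",
        "version": "unstable-2024-01-01",
        "src": {
            "url": "https://example.com/hello/hello.git",
            "rev": "0123456789abcdef0123456789abcdef01234567",
        },
        # Nixpkgs-side patch: the built artifact differs from upstream.
        "patches": ["fix-build.patch"],
    },
]


def sri_to_hex(value: str) -> tuple[str, str]:
    """Return (algorithm, hex digest) for a Nix SRI hash such as "sha256-<base64>".

    Plain hex digests are passed through. Nix's legacy base32 notation is
    rejected (assumption: sources expose SRI-style `hash` attributes).
    """
    algo, sep, payload = value.partition("-")
    if sep and algo in ("sha1", "sha256", "sha512"):
        return algo, base64.b64decode(payload, validate=True).hex()
    lowered = value.lower()
    by_len = {40: "sha1", 64: "sha256", 128: "sha512"}
    if len(lowered) in by_len and all(c in "0123456789abcdef" for c in lowered):
        return by_len[len(lowered)], lowered
    raise ValueError(f"unsupported hash format: {value}")


def _qualifier(value: str) -> str:
    # PURL qualifier values are percent-encoded; ':' and '/' are left readable,
    # matching the examples in the purl-spec ('+' and '@' do get encoded).
    return quote(value, safe=":/")


def generic_purl(drv: dict) -> str:
    """Build pkg:generic/<name>@<version>?<qualifiers> from a derivation's src."""
    name = quote(drv["pname"], safe="")
    version = quote(drv["version"], safe="")
    src = drv["src"]
    qualifiers = []
    if "rev" in src:
        # VCS source (fetchgit / fetchFromGitHub style): pin the exact revision.
        qualifiers.append(("vcs_url", f"git+{src['url']}@{src['rev']}"))
    else:
        # Archive source (fetchurl style): the URL plus the content checksum.
        algo, digest = sri_to_hex(src["hash"])
        qualifiers.append(("download_url", src["url"]))
        qualifiers.append(("checksum", f"{algo}:{digest}"))
    # purl-spec: qualifiers are emitted sorted by key.
    query = "&".join(f"{key}={_qualifier(val)}" for key, val in sorted(qualifiers))
    return f"pkg:generic/{name}@{version}?{query}"


def component_entry(drv: dict) -> dict:
    """CycloneDX-style component fragment with the PURL and a patch marker.

    The `nix:patched` property name is an assumption for this example; it lets a
    consumer treat CVE matches on patched sources as candidates for review.
    """
    return {
        "type": "library",
        "name": drv["pname"],
        "version": drv["version"],
        "purl": generic_purl(drv),
        "properties": (
            [{"name": "nix:patched", "value": "true"}] if drv.get("patches") else []
        ),
    }


if __name__ == "__main__":
    for drv in SAMPLE_DERIVATIONS:
        print(component_entry(drv))
```

Running the module prints one component fragment per sample derivation. The checksum conversion matters in practice: scanners compare against hex digests, while Nixpkgs stores SRI hashes, so a PURL carrying the raw SRI string would never match.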